System and method to send a message using multiple authentication mechanisms

ABSTRACT

A system may include a sender computing system to transmit first authentication data in association with a message, the first authentication data conforming to a first authentication mechanism, and to transmit second authentication data in association with the message, the second authentication data conforming to a second authentication mechanism. The system may also include a component to receive the first authentication data in association with the message from the sender computing system, and to receive the second authentication data in association with the message from the sender computing system.

FIELD

Some embodiments relate to sending messages between a sender computing system and a receiver computing system. In particular, some embodiments concern secure transmission of messages from the sender computing system to the receiver computing system using two or more authentication mechanisms.

BACKGROUND

A sender computing system may execute an application that desires a service provided by a receiver computing system. The application may therefore transmit an electronic message to the receiver, the message including service data on which the service is to be provided as well as authentication data identifying a user. The receiver uses the authentication data to perform an authentication action for logging the user into the receiver system. If the authentication action is successful, the receiver executes code under the user to implement the service on the service data.

The above-mentioned application is executed under a user of the sender computing system. The authentication data sent from the sender to the receiver may identify this actual user, or may comprise fixed authentication data that are statically configured and identify a fixed user in the receiver. In the former case, the receiver must be aware of the identity of the actual user in order for the authentication action to be successful.

Conventional communication protocols do not provide sufficiently flexible authentication in certain situations. Systems are therefore desired for improved authentication between a sender computing system and a receiver computing system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a system according to some embodiments.

FIG. 2 is a flow diagram of a process according to some embodiments.

FIG. 3 is a block diagram of a system to send a message using multiple authentication mechanisms according to some embodiments.

FIG. 4 is a flow diagram of a process executed by the FIG. 3 system according to some embodiments.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of system 100 according to some embodiments. System 100 illustrates a communication scenario in which sender 110 communicates with receiver 120. Other topologies may be used in conjunction with other embodiments.

The elements of system 100 may be located remote from one another and may communicate with one another via a network and/or a dedicated connection. Moreover, each displayed element of system 100 may comprise any number of hardware and/or software elements suitable to provide the functions described herein, some of which are located remote from each other.

According to some embodiments, sender 110 may comprise a sender application that requires a service from receiver 120, which in turn comprises a receiver application. Sender 110 transmits message 112 to receiver 120 as shown, and also transmits authentication data 114 and authentication data 116 in association with message 112. One or both of authentication data 114 and authentication data 116 may be separate from or included within message 112 according to some embodiments.

Authentication data 114 and authentication data 116 may comprise any data based on which receiver 120 may perform an authentication action. In some embodiments, receiver 120 performs an authentication action based on one or both of authentication data 114 and authentication data 116.

One or both of authentication data 114 and authentication data 116, in some embodiments, may identify a principal user under whom sender 110 is executing. Authentication data 114 or authentication data 116 may therefore be used to login the principal user to receiver 120. One or both of authentication data 114 and authentication data 116 may be associated with a fixed anonymous user known to receiver 120 and to sender 110. In such a case, receiver 120 might not be required to have any knowledge of the principal user.

Authentication data 114 conforms to a first authentication mechanism, and authentication data 116 conforms to a second authentication mechanism. Non-exhaustive examples of authentication mechanisms to which authentication data 114 and authentication data 116 may conform include a username/password authentication mechanism (e.g., basic mode or digest mode), an X.509 certificate authentication mechanism, an SAP® logon ticket, and a Security Assertion Markup Language (SAML) assertion. Authentication data 114 and 116 may also or alternatively conform to any other currently- or hereafter-known authentication mechanisms.

According to the username/password authentication mechanism, the username and password of a user are maintained in sender 110. According to the basic mode, sender 110 directly sends the username and password to receiver 120 for authentication and for directly logging into receiver 120. According to the digest mode, a digest (e.g., a one-way hash value) of the stored username and password is sent to receiver 120 for authentication. The digest may be sent with a nonce for avoiding replay attacks.

The X.509 certificate authentication mechanism requires sender 110 to create a signature using a private key and to transmit the signature together with an X.509 certificate containing an associated public key to receiver 120. Accordingly, the user's private key and certificate are maintained in sender 110. As a consequence of the X.509 certificate authentication mechanism, the integrity of the signed message contents is guaranteed.

Sender 110 may also create an SAP-logon ticket for the principal user. The SAP-logon ticket includes a SAP-specific assertion containing the name of the principal user. The assertion is signed by a private key of sender 110.

A SAML assertion includes the name of the principal user and is signed by a trusted attester system against which sender 110 is able to authenticate the subject. The SAML assertion also contains a signature with respect to message 112 in order to associate the assertion to the message contents. SAML assertions include “holder-of-key” assertions in which sender 110 sends a SAML-enriched message to receiver 120 or “sender vouches” assertions in which the aforementioned attester forwards the message to the receiver 120.

Authentication data 114 and authentication data 116 may be transmitted on the transport level (e.g., sent via Hypertext Transfer Protocol communication mechanisms), the message level (e.g., within Simple Object Access Protocol message 112), or in any other suitable manner. According to some embodiments, sender 110 and/or receiver 120 comprises an Advanced Business Application Programming® (ABAP) business system that employs ABAP proxies to communicate via a common protocol. In other embodiments, sender 110 and/or receiver 120 comprises a Java™ proxy executed by an SAP Adapter Engine™ to transmit/receive messages via the common protocol.

Elements described herein as communicating with one another are directly or indirectly capable of communicating over any number of different systems for transferring data, including but not limited to shared memory communication, a local area network, a wide area network, a telephone network, a cellular network, a fiber-optic network, a satellite network, an infrared network, a radio frequency network, and any other type of network that may be used to transmit information between devices. Moreover, communication between systems may proceed over any one or more transmission protocols that are or become known, such as Asynchronous Transfer Mode (ATM), Internet Protocol (IP), Hypertext Transfer Protocol (HTTP) and Wireless Application Protocol (WAP).

FIG. 2 is a flow diagram of process 200 according to some embodiments. Some embodiments of process 200 may provide transmission of a message using multiple authentication mechanisms. In some embodiments, receiver 120 executes program code to perform process 200.

Process 200 and all other processes mentioned herein may be embodied in processor-executable program code read from one or more of a computer-readable medium, such as a floppy disk, a CD-ROM, a DVD-ROM, a Zip™ disk, a magnetic tape, and a signal encoding the process, and then stored in a compressed, uncompiled and/or encrypted format. In some embodiments, hard-wired circuitry may be used in place of, or in combination with, program code for implementation of processes according to some embodiments. Embodiments are therefore not limited to any specific combination of hardware and software.

Initially, at S210, first authentication data is received from a sender computing system in association with a message. The first authentication data conforms to a first authentication mechanism. In this regard, the first authentication mechanism may be used to perform an authentication action based on the first authentication data.

Second authentication data is then received from the sender computing system in association with the message. The second authentication data conforms to a second authentication mechanism. The second authentication mechanism may differ in any degree from the first authentication mechanism.

The first authentication mechanism and the second authentication mechanism may comprise any authentication mechanisms that are or become known. One or both of the first authentication data and the second authentication data may identify a principal user of the sender computing system. One or both of the first authentication data and the second authentication data may be associated with a fixed anonymous user known to the receiver and to the sender computing system.

The first authentication data and the second authentication data may be associated with the message in any manner that is or becomes known, and may be received via any transport protocol that is or becomes known. The first authentication data and the second authentication data may be included within the message or may be separate from the message. The message, the first authentication data and the second authentication data may be received simultaneously according to some embodiments of process 200.

FIG. 3 is a detailed block diagram of system 300 according to some embodiments. System 300 may comprise an implementation of system 100 of FIG. 1. Accordingly, system 300 may execute process 200 in some embodiments.

System 300 includes sender computing system 310, intermediary component 320 and receiver computing system 330. Sender computing system 310 and intermediary component 320 may operate as described above with respect to elements 110 and 120. A detailed operation of system 300 according to some embodiments will be described below with respect to FIG. 4.

Sender computing system 310 includes application 312, interface adapter 314 and certificate handling 316. Application 312 may comprise an application desiring service from receiver computing system 330, and interface adapter 314 may provide communication via a protocol that is supported by intermediary component 320. Certificate handling 316 may provide system 310 with the ability to secure messages using attester signatures and attester certificates. System 310 may comprise any system capable of executing program code. In this regard, the illustrated elements of system 310 may represent program code providing the particular functions described above.

As shown, interface adapter 314 may transmit message 350 to intermediary component 320. Message 350 includes authentication data 352 and assertion 354. Authentication data 352 may be associated with an actual or fixed anonymous user (U2) known to component 320. Assertion 354 may include an attester signature of message 350 (i.e., including assertion 354) and an attester certificate and authentication data associated with principal user U1, under whom application 312 is executed.

Interface adapter 321 of intermediary component 320 is to receive message 350 from system 310, message pipeline 322 is to apply any required processing to message 350, and interface adapter 323 is to transmit processed message 360 including assertion 364 to receiver computing system 330. According to some embodiments, intermediary component 320 may be implemented by an integration server such as an SAP Exchange Infrastructure™ integration server.

Intermediary component 320 also includes certificate handling block 324 and certificate handling block 325. Generally, block 324 performs an authentication action based on received assertion 354. The authentication action may comprise a validity check of assertion 354 that evaluates the attester's signature and the trustworthiness of the attester certificate based on a trusted relationship with the attester. Block 325 operates to create a second assertion including the authentication data associated with principal user U1, a second attester signature of message 360 and a second attester certificate. Second assertion 364 is included in message 360 prior to transmission to system 330.

Receiver computing system 330 includes application 332, interface adapter 334 and certificate handling 336. Application 332 may be capable of providing the service required by application 312 of sender computing system 310, and interface adapter 334 may support communication with interface adapter 323 of intermediary component 320. Certificate handling 336 may perform an authentication action based on second assertion 364 and on a trusted relationship with an attester associated with block 325. If the action is successful, the authentication data associated with principal user U1 may be used to login to receiver 330 and to execute application 332 under principal user U1 so as to provide the requested service.

FIG. 4 comprises a flow diagram of process 400 according to some embodiments. In some embodiments, intermediary component 320 of FIG. 3 executes program code to perform process 400.

According to process 400, a message is received from a sender computing system at S410. The message includes an assertion and second authentication data. The assertion includes first authentication data, an attester signature of the message, including the assertion, and an attester certificate. The first authentication data is associated with a first authentication mechanism and the second authentication data is associated with a second authentication mechanism. With reference to the example of FIG. 3, interface adapter 321 of intermediary component 320 may receive message 350 from interface adapter 314 at S410.

More specifically, application 312, executing under user U1, may use interface adapter 314 to call a proxy object of executable interfaces for communicating with component 320. The proxy object may create message 350 including authentication data 352 associated with an actual or fixed anonymous user (U2) known to component 320 and to sender 310. The proxy object may also interact with certificate handling 316 to obtain a certificate and to include associated assertion 354 in message 350. As described above, assertion 354 includes an attester signature of message 350, an attester certificate and authentication data associated with principal user U1. According to some embodiments, the proxy object and interface adapter 314 also operate to transmit message 350 via the Web Services protocol.

Next, at S420, an authentication action is performed based on the second authentication data. The authentication action may be performed based on the second authentication mechanism that is associated with the received second authentication data. For example, in a case that the second authentication data (e.g., U2 authentication data) comprises a username/password, the authentication action performed at S420 may comprise checking the username/password against a stored username/password. In the case of a digest mode username/password mechanism, component 420 re-creates the hash value prior to checking the username/password.

Performance of the authentication action may comprise checking if a received certificate is trusted in a case that the second authentication mechanism comprises an X.509 certificate-based mechanism. Such a mechanism may require configuration or implementation of a mapping from the certificate to an actual user. An SAP logon ticket mechanism and an SAML assertion-based mechanism also require an established trust relationship between the ticket creator and component 320. Moreover, the SAML assertion-based mechanism utilizes a mapping of the principal name to an actual user.

The received message is processed at S430. The message may be processed in any manner. In some embodiments of S430, intermediary component 320 may process message 350 in order to provide messaging-related services to sender 310 and receiver 330. Such services may include message processing at the transport level, message processing at the message level, and/or any other desired message processing. Intermediary component 320 may provide dynamic routing of messages received from sender 310 and/or mapping of message contents based on different message formats supported by sender 310 and receiver 330.

The processed message and the first authentication data are transmitted to a receiver computing system at S440. Again with reference to FIG. 3, processed message 360 including second assertion 364 may be transmitted to receiver 330 at S440. Second assertion 364 may include the first authentication data, a second attester signature of message 360, and a second attester certificate created by certificate handling block 325.

According to some embodiments, interface adapter 334 receives message 360 from interface adapter 323 of intermediary component 320 and certificate handling 336 performs an authentication action based on second assertion 364 and on a trusted relationship with the attester associated with block 325. After successful authentication, application 332 executes under principal user U1 to provide the requested service.

The embodiments described herein are solely for the purpose of illustration. Those skilled in the art will recognize other embodiments may be practiced with modifications and alterations limited only by the claims. 

1. A method comprising: receiving first authentication data in association with a message from a sender computing system, the first authentication data conforming to a first authentication mechanism; and receiving second authentication data in association with the message from the sender computing system, the second authentication data conforming to a second authentication mechanism.
 2. A method according to claim 1, further comprising: performing an authentication action based on only one of the first authentication data and the second authentication data.
 3. A method according to claim 1, further comprising: performing an authentication action of the second authentication data based on the second authentication mechanism; and transmitting the message and the first authentication data to a receiver computing system.
 4. A method according to claim 3, further comprising: processing the message prior to transmitting the message, wherein transmitting the message and the first authentication data comprises transmitting the processed message and the first authentication data to the receiver computing system.
 5. A method according to claim 4, wherein the first authentication data is associated with a user in the sender computing system, and wherein the second authentication data is associated with a fixed anonymous user.
 6. A method according to claim 4, wherein the message comprises the second authentication data and an assertion including the first authentication data, an attester signature of the message, and an attester certificate, and the method further comprising: prior to processing the message, determining whether the attester signature is valid; and prior to processing the message, determining whether the attester certificate is trusted.
 7. A method according to claim 1, wherein the message comprises the first authentication data and the second authentication data.
 8. A method according to claim 7, wherein the message comprises the second authentication data and an assertion including the first authentication data, an attester signature of the message and an attester certificate.
 9. A method according to claim 8, further comprising: performing an authentication action of the second authentication data based on the second authentication mechanism; determining whether the attester signature is valid; and determining whether the attester certificate is trusted.
 10. A medium storing processor-executable program code, the program code comprising: code to receive first authentication data in association with a message from a sender computing system, the first authentication data conforming to a first authentication mechanism; and code to receive second authentication data in association with the message from the sender computing system, the second authentication data conforming to a second authentication mechanism.
 11. A medium according to claim 10, the program code further comprising: code to perform an authentication action based on only one of the first authentication data and the second authentication data.
 12. A medium according to claim 10, the program code further comprising: code to perform an authentication action of the second authentication data based on the second authentication mechanism; and code to transmit the message and the first authentication data to a receiver computing system.
 13. A medium according to claim 12, the program code further comprising: code to process the message prior to transmitting the message, wherein the code to transmit the message and the first authentication data comprises code to transmit the processed message and the first authentication data to the receiver computing system.
 14. A medium according to claim 13, wherein the first authentication data is associated with a user in the sender computing system, and wherein the second authentication data is associated with a fixed anonymous user.
 15. A medium according to claim 13, wherein the message comprises the second authentication data and an assertion including the first authentication data, an attester signature of the message, and an attester certificate, and the program code further comprising: code to determine, prior to processing the message, whether the attester signature is valid; and code to determine, prior to processing the message, whether the attester certificate is trusted.
 16. A medium according to claim 10, wherein the message comprises the first authentication data and the second authentication data.
 17. A medium according to claim 16, wherein the message comprises the second authentication data and an assertion including the first authentication data, an attester signature of the message, and an attester certificate.
 18. A medium according to claim 17, the program code further comprising: code to perform an authentication action of the second authentication data based on the second authentication mechanism; code to determine whether the attester signature is valid; and code to determine whether the attester certificate is trusted.
 19. A system comprising: a sender computing system to transmit first authentication data in association with a message, the first authentication data conforming to a first authentication mechanism, and to transmit second authentication data in association with the message, the second authentication data conforming to a second authentication mechanism; and a component to receive the first authentication data in association with the message from the sender computing system, and to receive the second authentication data in association with the message from the sender computing system.
 20. A system according to claim 19, the component further to perform an authentication action based on only one of the first authentication data and the second authentication data.
 21. A system according to claim 19, further comprising a receiver computing system, wherein the component is further to perform an authentication action of the second authentication data based on the second authentication mechanism, and to transmit the message and the first authentication data to the receiver computing system.
 22. A system according to claim 21, the component further to process the message prior to transmitting the message, wherein transmission of the message and the first authentication data comprises transmission of the processed message and the first authentication data to the receiver computing system.
 23. A system according to claim 22, wherein the first authentication data is associated with a user in the sender computing system, and wherein the second authentication data is associated with a fixed anonymous user.
 24. A system according to claim 22, wherein the message comprises the second authentication data and an assertion including the first authentication data, an attester signature of the message, and an attester certificate, wherein the component is to determine, prior to processing the message, whether the attester signature is valid, and wherein the component is to determine, prior to processing the message, whether the attester certificate is trusted.
 25. A system according to claim 19, wherein the message comprises the first authentication data and the second authentication data.
 26. A system according to claim 25, wherein the message comprises the second authentication data and an assertion including the first authentication data, an attester signature of the message, and an attester certificate.
 27. A system according to claim 26, wherein the component is to perform an authentication action of the second authentication data based on the second authentication mechanism, to determine whether the attester signature is valid, and to determine whether the aftester certificate is trusted. 